TW200418297A - Multisignature scheme with message recovery for group authorization in mobile networks - Google Patents

Abstract

The present invention discloses an efficient multisignature scheme with message recovery for group authorization in unreliable networks, such as mobile networks, which have the property that communication links are unreliable and hosts are frequently unreachable. The present invention also provides a threshold multisignature scheme for group authorization in mobile network, based on the digital multisignature scheme, in which a multisignature is valid if t out of n signers signed it. The threshold multisignature scheme according to the present invention allows each participator to sign the same message separately, and then combines a quorum of individual signatures into a multisignature.

Description

200418297 说明, sprouting description (the description of the invention should state: the technical field to which the invention belongs, the prior art, the content, the embodiments and the drawings are simple_) [Technical field to which the invention belongs] The present invention relates to a type of 'for group authorization (Multisignature scheme) for group authorization, more specifically about an effective multisignature system for group authorization with message restoration function. This mechanism is used in an unreliable network system such as : Mobile network with the characteristics of unreliable communication and repeated failure to connect to the host. 10 200418297 [Previously torn] With the development of technology and semiconductor technology, computers have become widely popular, and information exchange through computer networks is increasing day by day. Therefore, information protection measures have attracted attention, such as the identification of information exchangers. At present, society has entered the informatization stage. Information will be like identifying goods, and the transmission of information through public communication networks is even more important. In contrast, the damage caused by illegal disclosure or alteration of information will continue to increase. 4i In order to prevent damage, the protection measures when transmitting information through communication networks such as public communication networks are of even greater concern, and related investigations are rapidly underway. For example: the identification mechanism (identiHcationscheme) has been proposed to allow the verification of the identity of the correspondent or the source of the received data when the data is exchanged through various communication paths, such as public communication networks; and the digital signature mechanism (digital signature mechanism) scheme), which is used to make a digital signature of an electronic file effective on the terminal before the communication program, wherein the digital signature is a two-digit serial signature encoded by an creator, replacing the traditional Handwritten signature on the document. The electronic signature mechanism enables the source of the transmitted documents to be identified such as: content confirmation and whether the documents have been altered illegally. In this identification mechanism and digital signature mechanism, it is assumed that p is a large prime number, q is another prime number used to divide p-1, g is a natural number between 1 and p ', and q of g Divide the power by p to get a remainder 1 (sgqmodp), then g, q and P are system coefficients usually used by users. Suppose each user randomly selects a number s between 1 and q as a secret key, and uses a remainder v (g · 5 mod p) obtained by dividing the -s power of g by p. Is a public key, and the public coefficients used by individual users are <, g, q, and P 0. It is difficult to find a secret key s from these public coefficients. True difficulty is also equivalent to computing a solution of a scattered logarithm. Many public key authentication mechanisms and digital signature mechanisms are based on difficult discrete logarithmic calculations. A digital signature can be considered a special form of a seal, and the digital signature is used by a trusted source (as if the seal is used for verification). There are three models of digital-signature mechanisms: a digital signature mechanism with attachments, a digital signature granting message reversion function, and a hybrid digital signature mechanism that integrates these methods. In the digital signature mechanism mode with attachments, the digital signature and its corresponding message are sent to one recipient at a time. The message itself is not encrypted and verified by the recipient. The well-known digital signature mechanism using the attachment mode is the ElGamal digital signature mechanism, which is based on the discrete logarithm problem. In a hybrid digital signature mechanism using an attachment type and a message restoration type, a digital signature of one message is appropriately generated into an attachment type or a message restoration type, which is based on the length of the signed message (2 Bit string) or signature purpose. For a short message, the hybrid signature mechanism uses a message restoration method, which reduces the amount of data for verifying digital signatures and reduces the need for communication. For a long message, when message-related information is included, the hybrid signature mechanism uses the attachment method. As mentioned above, the characteristic of this hybrid digital signature mechanism is that it can adaptively generate a digital signature based on the length of a signed message. 200418297 In the digital signature mechanism that grants the message restoration function, the signature message is hidden in the signature and can be restored from the signature. Message restoration has some significant advantages. First of all, small message signatures will require less bandwidth. Secondly, shorter certificates can be generated. In addition, the message restoration function can be directly used in other mechanisms such as: ElGamai encryption scheme or key agreement protocol. The well-known digital signature mechanism with message restoration function is the RSA digital signature mechanism. The foundation of the mechanism is based on the difficulty of-factoring large integers. In 994, Nyberg and Rueppp proposed the first mechanism based on scattered logarithms and capable of restoring information. The digital signature mechanism with message restoration function generates a digital signature for a message. In addition, if the two communication parties use the same system coefficient, by using the same algorithm as the digital signature, a session key can be generated as the secret mirror of the two parties. The digital signature mechanism of N-R (Nyberg-Rueppd) 's grant message restoration function will be explained below. Assume that the signer's system coefficients are g, q, and P, the secret key system is s (l < s < q), the public key system is v (mod p), and the signed message system is m. The signer selects an arbitrary number r between 1 and q, and calculates a remainder x (mod p) obtained by dividing the product of m and g to the power of -r by p. The signer's r is added to the secret key s multiplied by x. The result is .r + sx, and then a remainder y is calculated by dividing r + sx by p (^ r + sx mod q) . (X, y) is a digital signature with a message restoring function for restoring message m. In order to verify the digital signature (X, y), the verifier calculates a remainder (^ KgYvx mod p) obtained by dividing the product of X, g to the power of y, 200418297, and V to the power of x, divided by P, using To restore the message m. The verifier can verify the authenticity of the digital signature (x, y) by confirming the content of the restored message m. Here, the key exchange method will be described in detail, in which the same algorithm as the N-R digital signature mechanism is used, so that an agreement golden mirror is generated between users. Assume that users A and B use the system coefficients g, q, and p. The secret key of the user ία is sa, and the public key is vA (sg_sA mod p), and the secret gold of the user B is The key system is sb, and its public key system is vB (^ g'sBmod P). When user A and B want to generate a protocol key, user A selects an arbitrary number R or r between 1 and q, and calculates X (3Rg〃modp) and y (r + sA mod q ). The calculation result (x, y) is sent to B. User A calculates the protocol key K (< vb) r), which is the remainder obtained by dividing the power of R of user B's public key vB (mod ρ) by ρ. User B calculates gR (^ gY vax mod p) from (x, y) received by user A, thereby restoring gR, and calculates the remainder K (< gRVSBmodp) obtained by dividing the power of gR2-sB by ρ ). Therefore, with one transmission / reception, users A and B can generate agreement money _ with each other. For another secure key exchange that is based on the discrete logarithm problem, the Diffe-Hellman key exchange method has been proposed to generate an agreement gold record between two users. In this method, suppose two users A and B use g and q and P are system coefficients. The users A and B individually select two arbitrary numbers a and b between i and q, and calculate £ & and gb. If the calculated 200418297 / 出 〆 is exchanged with gig, users A and B will generally get K 値. The conventional digital signature mechanism usually only allows a single signatory to sign a message. However, for some network environments, the responsibility for signing a message may belong to a group of signers, and a message may require signing authority for multiple signers. In group-oriented applications, the group authorization of a message can be achieved by signing the digital signature of the group member on the message. In this method, a group of users can ... complete the authorization of the message by signing a message containing a program / document, and an external verifier can verify the signature and determine the authority of the requested message. For example: before a company's policy is implemented, it must be voted or signed by some managers; and the current authentication delegate is another application in an action code system. Therefore, it is necessary to provide a multiple signature method. A multiple signature is created by a group of signatories with multiple concepts of confidentiality. Generally speaking, one of the biggest differences between a handwritten multiple signature and a digit multiple signature is the size of the multiple signature. For a handwritten multiple signature, the size of the form is linear with the number of signers, but for a digital multiple signature, the size is exactly the same as a single signer. In a multiple signature mechanism, all members of the group cooperate to produce an effective multiple signature, and each member has the same responsibility for the signed message. In other words, the signer of a multi-signature is verified at the outset, and the authenticity of the multi-signature must be verified along with the user's public key. Therefore, any outsider can be confident that when the multiple signatures are created, each member of the group is a participant. 200418297 However, for these machines, the signer or signature sequence must still be determined in advance, or the size of a multiple signature will still be proportional to the number of signers. Consider a group #direction service as an example, the service is divided among multiple mobile servers, where the server may be a mobile device carried by a designated user. A client can send a request message containing a document / mobile code to any mobile server. Based on the request received, the delegate server will respond on behalf of the group of mobile servers. The representative server forwards the request to all available servers and waits for their response. If the representative server receives more than the legal number of responses from the mobile server, the task is successfully completed, and the representative server returns the result to the client. In this operation procedure, the mobile server participating in the calculation must be authenticated, so that illegal intrusion can be detected. That is, when the reply message is returned to the client, it must be signed through a quorum of a mobile server. This has motivated the need for a threshold multi-signature mechanism with the ability to restore information. In a reliable network, multiple signature mechanisms may be sufficient. However, it may not be enough for unreliable communication links and mobile networks that repeatedly fail to reach the host. In addition, in the multi-signature mechanism, an external verifier needs to use all public keys of members of the group to verify the authenticity of the multi-signature. In this way, the validator can be confident that each member is a participant in the multi-signature. The verifier's concern is that a message must be signed by at least one of the members, and that the member must be truly from that group. However, the verifier was unable to verify whether a group member was involved in the generation of multiple signatures for the group. Therefore, the multi-signature mechanism used in these applications is not feasible in these applications, and should be replaced by the (Λ /?) Threshold multi-signature mechanism. In the (Λ / 0 threshold multi-signature mechanism, r or even more members of the same group + cooperate to generate a valid group signature. When a verification ~ certifier needs to verify the authenticity of the signature, the verifier The public keys of all members need to be used to obtain the public keys of the group. Because the group public keys are obtained by the public keys of all members, not the actual participants, the validator cannot verify Participants are identified. Digital multi-signature mechanism and (Λ threshold multi-signature mechanism have been proposed in the past literature. In 1994, L. Harri proposed a parallel digital multi-signature based on the discrete logarithm problem. Mechanism, see " Group-oriented (t, η) threshold digital signature scheme and digital multisignature ,, r IEE Proc. Of Computers and Digital Technique., Vol. 141, No. 5, pp. 307-3 13, Sep. 1994: The parallel digital multiple signature mechanism allows multiple signers to sign the same message separately, and sends the individual signing message to a designated clerk, which makes each individual sign The signature comes into effect, and then all individual signatures are combined into a multiple signature. In addition, Harri developed the multiple signature mechanism into a parallel (Λ / 2) threshold multiple signature mechanism, as seen in "New digital signature scheme based on discrete logarithm," Electronics Letters ^ Vol. 30, No. 5, pp. 396-298, Mai *. 1994. In U, / 7) Threshold multiple signature mechanism, T or more members of this group cooperate to generate one A valid group signature, and the verifier can verify the authenticity of the group signature without identifying the individual signer. However, the mechanism proposed by Harn has a higher cost of information exchange between signers. In addition, the mechanism The message restoration function is not supported, and the message 200418297 is not encrypted. In addition, Langford introduced the Digital Signature Standard (DSS) for the first time, which is based on the (t, η) threshold multiple signatures. See “Threshold” DSS Signatures without a Trusted Party, "Advances in Cryptology _ Crypto, 95 proceedings, Springer-Verlag pp. 397-409, 1995. An enhanced version of the secret sharing technique is used to generate the shared part of the private key before the private key is actually formed. Two general threshold DSS multiple digital signature mechanisms have been proposed. The first t-out-of-n gate spam mechanism relies on a shared pre-computed Ust to prevent sharers from signing more than one message with the same k 値. The second mechanism requires the participation of 7 signatories to achieve the t-out-of-n security mechanism. Therefore, it is an unrealistic situation for large companies. The mechanism proposed by Langford has a identifiable level of security, but 尙 does not mention the problem of message restoration. SMeh et al. Proposed another parallel digital multi-signature mechanism for group-oriented and based on the discrete logarithm problem, see "Digital Multisignature Schemes for Authenticating Delegates in Mobile Code Systems," IEEE Transactions on Vehicular Technology, Vol. 49 , No. 4, July 2000, pp. 1464-1473. This mechanism provides the ability to restore information and requires less information exchange costs than the mechanism proposed by Harn. The mechanism does not sign messages to each pair of the mechanism The exchange between signers is different from Harn's mechanism. However, this mechanism requires an additional notary who has mutual trust to participate in the signature generation stage. The mechanism does not allow the connection between the host and the communication to fail, and is not designed for mobile communication With reference to Figure 1, this figure shows a table illustrating a digital signature mechanism, which is the prior art of US Patent No. 5,966,445 issued to Park et al., Entitled "Identification scheme single or muiti- digital signature scheme giving message recovery single or multi-digitdi signature scheme with appe ndix key exchange scheme and blind digital signature scheme ". It reveals an authentication mechanism that allows a prover to more surely identify himself to a verifier, and prevents reuse of used authentication information; Key exchange, in which a common secret key is used between the two uses, in order to not allow improper use by an unauthorized person; a digital signature mechanism granting a message restoration function and a digital signature mechanism with an attachment, and According to the size of a signed message, it is used to generate a digital signature in the form of a restored message or an attachment; a multi-digital signature mechanism is used to allow multiple signers to generate digital information about the same message Signature, and based on the length of a signed message, the digital signature is generated as a message restoration form or with an attachment; and a blind digital signature mechanism is used when the signed message should not be open to the public Occasionally occurs with signatories, so a signatory does not know what is on the message. However, despite these System 'of the signer and the signature sequence must still decide beforehand, or a multiple of the size of the signature change in the number of signatories and still proportional. And these mechanisms often lack the ability to restore information or support group authorization in mobile networks. 200418297 In view of this, it is necessary to provide a new (Λ 77) threshold multi-signature mechanism with a message restoration function, which integrates (Λ / 7) threshold secret sharing scheme and multi-signature The principle of the chapter mechanism, the (习 /?) Threshold secret sharing mechanism is used to decompose the main secret into ^ projections. In this method, unless each r projection is aggregated, the main secret cannot be restored. It is not easy to integrate the threshold secret direct connection mechanism and multi-child machine # 〃. «[Content] The main purpose of the present invention is to provide an effective digital multi-signature mechanism with the characteristics of message restoration to overcome the disadvantages of the prior art. A secondary objective of the present invention is to provide a (Λ-knife) threshold multiple signature mechanism developed from a multiple signature mechanism. The threshold multiple signature mechanism also has information restoration capabilities and supports group authorization in a mobile network. According to the main purpose of the present invention, it provides a computer-implemented method of a multiple signature mechanism with a message restoration function for generating and verifying a digital signature. The system coefficient is a large prime number / 7, α and a one-way hash function (one-way hash function) Η: multiple signers generate a continuous digital signature for a message m; and at 0 and ;; " Randomly select its private key Xt such that gcdiX ^, = 1 and then calculate Y1 = (c〇Xi mod /; as its public key, the method includes the following steps: multiple signers One of the initial signers signs the message M with appropriate redundancy, and M is encrypted with the signer's private key 10 200418297 χ to become a ciphertext m; between 1 and / 7-1 Select a random number h, and calculate a remainder rl (= [m · (a) -klf mod p) obtained by dividing the product of the message m with P, and calculate a result from [XI-(上 /-rl )] The remainder sl (Ξ [XI-(i /-rl)] divided by P-1 is transmitted (~

Sl, (M)) to all other signatories. An i-th signer (of which 2 S i S /?) Uses Y1 · rl · (a) rl-sl to restore the ciphertext m, where the ciphertext m of f 6 is marked here as m '; and The authenticity of the signature (n, Sl) is verified by using the public key of the initial signer. Does the i-th signer (of which 2 Si ^ / 7) receive (n, s ^, H (M)) choose a random number between 1 and P-1, and calculates from (a) -i: / and The remainder ri (ξ [m · (c〇 士) παί / / 0 and the remainder si obtained by dividing [Xi-(h-ri)] by p-1 (ξ [Xi-(h ·-ri)]; return (n, Sl) to the initial signatory. According to any individual signature received (n, of which 2 S i 2 η, the initial signatory Use Yi · ri · (a) ri-si to restore the ciphertext m, and use the public key of the i-th signer to verify the authenticity of the individual signature (n, sO. The initial signer calculates R ( s [m · (a)-(ir / -rl)-…-(hr /?)] mod / 7) and S (ξ Ri. [si + s2 + ··. + s; 7] mod (/ Μ )), Combine a multi-signature (R, S, H (M)) for the message M with n signers; and send the multi-signature to an external verifier. The external verification is based on the received The combined multiple digital signature (R, S, H (M)) for message M verifies the authenticity of the multiple signature, and by using the public keys Y of all signers, (its ($ 1 S force) to restore the message m from multiple signatures. According to another object of the present invention, it provides a computer implementation of a 200418297 (t, η) threshold multiple signature mechanism with a message restoration function. Method / used to generate and verify digital signatures, where the system coefficient is a large prime A α and a one-way hash function Η, multiple signatures are used to generate a continuous digital signature for a message m Chapter, and randomly select its private key between 0 and 0 so that gCiKXi, less /) = 1, and then calculate 丨 Ξ (a) Xi mod as its public golden mirror, the method includes the following steps: a ·: The signatory selects a random polynomial with M term in the factory…, so that π—… —— 山. ~ / &Quot; mod (Ρ- /), where U is the privacy of the i-th signer Using a key; and in a secure channel will be transmitted to 仏 (where 1 2 j S η, and j # i) and broadcast ^ (~ > 111 (3 (1/7, one of multiple signatory initial The signer signs a message M with appropriate redundancy, and M is encrypted by the signer's private key Xi The ciphertext m; choose a random number h between 1 and; 7-1, and calculate a remainder rl (ξ [πι · (a)- i7] 727 ^ / 0, and calculate one. The remainder sl (4X1-U7 rl) + QiLl] / 77W obtained by dividing [Χία /-rl) + OlLl] by p-1. Transfer (n, si, H ( M)) to all other signatories; among them only 仏 knows each one, so -1 can only borrow L, Ξ (ΓΤ —— mod (pl)) is calculated by the UI (any of which is ancient 1), and because l値 has no secret information, so it is public. The i-th signer (of which 2 s 1 幺 / 0 uses Y1 · · rl · (c0rl-sl to restore the ciphertext m; 12 200418297 and verify the using the public key of the initial signer The authenticity of the signature (ri ,; where the reduced ciphertext m is marked as, and λχ ξ Y] L〇 ^ / j (Xl) mod (/ 7-l) j ^ t + l. The i-th signature (Where 2 Si Sr) receives (n, st, H (M)), chooses a random number between 1 and /;-1, and calculates the product of (a) f and message m divided by P And the remainder ri (5 /?) Of ， and calculate the remainder κ number si (4Xi-(β-η)-QiLi] 守-/ divided by [Xi-(β-ri)-QiLi] Pi- / Knife; and return (n, to Ω / Ξ the initial signatory, where ㈣ and L, ξ ΓΤ —mod (p -1) k-l9k ^ i-"k 〇 according to any individual signature received (Η, s,), where 2 S i < t, the initial signer uses Yi · λΐ · ri · (a) ri-si to restore the ciphertext m, and borrows the open money of the first signer Key to verify the authenticity of this λί = Y \ afjiXi) mod {pl) signature (n, Si); where > ί + 1. The initial signatory count R (= (m · (a)-U / -rl)-···-(private) mod; 7) and S (R-1 · [si + s2 +. · + Sr] mod QM)) , Combining a multi-signature (R, S, Η (M)) for the message M containing n signers; and sending the multi-signature to an external verifier. According to the received multi-signature for the message M Combined multiple digital signatures (R, S, H (M)), an external verifier verifies the authenticity of the multiple signatures, and by using the public keys of all signers (1 S i S 77) The message m is restored from multiple signatures. 13 200418297 In order to make the above and other purposes, features, and advantages of this creation more apparent, the following describes the preferred embodiment of this creation in conjunction with the accompanying drawings for detailed explanation. The following is a detailed description of the preferred embodiment of the present invention and detailed description with reference to the accompanying drawings. An effective multi-signature mechanism with a message restoration function The first figure shows a method for explaining A form of multiple signature mechanisms for message restoration. Consider a mobile communications application in which delegated accesse can be applied On the wireless Internet, this is done by sending a message with an action code. With multiple signatures, all delegates can sign the action code in a parallel manner, so the receiver can identify the action code. The signer and determines the access rights of the mobile code. The present invention provides a new and effective multi-signature mechanism based on scattered logarithms and with a message reduction function. The public information is composed of a prime number / 7, a * natural number 0t, a public key Yi of a member Ui, and the signature. And does the secret information include the member's private key meaning and random number? The mechanism of the present invention is now given for security analysis. Let Θ be a large prime number, α be an element in the finite field GF (p) generated by the prime number p, and a one-way hash function H. All members know a α and H. Each member randomly selects their private key meaning between 0 and 0, so that gccKX ,, P- /) = 1, and then calculates Y: s (a) Xi mode as its public key. 14 200418297 There is a member who wants to sign a message Me Z / 7, and it can be concisely assumed. The members are Ui, U2, ···, υη · ι, and Un. Unlike the mechanism proposed by Harn, the mechanism of the present invention does not require a designated registrar. The initial signer U! Acts as the original signer who first signs the message M and informs the other members to sign the message M. The IL is also responsible for assembling and validating the individual signatures (of which 2 Si < /?) Of each IL, and generating a set of multiple signatures for all members in the message M. The mechanism of the present invention is composed of the following stages: the individual signature production stage, the multiple signature generation stage, and the multiple signature identification stage. Individual signature generation phase-Basic individual signature generation: When U! Signs the message M with appropriate redundancy, the card uses its private key to encrypt M. Let m be the ciphertext of M. Select a random number h between 1 and Θ-1 and calculate rl ^ [m · (a) -Jcl] mod p (1) si ^ [xi, (^ /. Ri)] m〇d (p -1) (2) The basic signature signed by U! In message M is composed of (n, s !, H (M)). After signing the message M, 仏 will send (n, Sl, H (M)) to all other members IL ·, IL ·, ..., and U, and save the number b in private. -Identification of basic individual signatures: When other member U, (of which 2 S i S 77) receives (n, Sl, H (M)) 'U, will try to restore the ciphertext m, and by using ⑴ Public key to verify 15 200418297 the basic individual signature (n, sO's authenticity. IL executes the following / equation to restore m: Y1 · rl · (a) rl-sl = [(α) χ1 · m · (α)-^ Γ · (a) -Xl + ^ /] modp = m mod p (3) In order not to confuse, here we mark the restored m as m ', U, using the public key of U! to m 'Decrypt as the text M' (plaintexi M '), and check whether M' satisfies the equation Η (Μ '): H (M) mod ρ. With equation (3), IL also verified the basic individual signature ( The authenticity of n, s ").-If the generation of individual signatures agrees with the content of M, the following steps will be used to sign m, and its individual signature will be generated. Step 1: Randomly select a number between 1 and between 'And calculate ri = [m · (α)-^ Ί mod ρ (4) Step 2 · Solve the equation si = [Xi-(ki-ri)] mod (p-1) (5) IL in the message The individual signatures in M are composed of (ri, sO). The IL generates the individual signatures of the message M After that, it will return (h sd to the initiator, and save the number privately. Multi-signature generation stage-verification of individual signatures: according to any of the individual signatures received (r :, Sl) 'of which 2 $ 1 $ n '16 200418297 ⑴ will try to restore the ciphertext m, and use the public key of U: to verify the authenticity of the individual signature (n, s〇. With the implementation of formula (6), U! Can restore the message m.

Yi · ri · (a) ri-si ^ [(a) Xi · m · (a) -ki · (a) -Xi + ^ /] mod p ξ m 'mod p (6) is reduced by equation (6) The message m 'then compares the restored message with the original message sent to it, and checks whether the two messages are consistent. If the two messages are consistent, the authenticity of the individual signature (n, Sl) is verified. When the verification of the individual signature is passed, that is, when the information restored from the individual signature is consistent with the original message, then the IL will execute (〇〇- 七 // 27 (^ ; 7 is restored by 1: 1. Ri · m-1 ^ [m · {a) -ki · m-1] mod p = (a) -ir / mod p (7)- Receive all individual signatures, and all the individual signatures are verified. Then all (α) -β systems are calculated, and then R and S can be calculated, which are defined as R ξ [rl · (a) -i: 2 · … · (Α) -々77 · (a) / 7 · ... · (a) // 7] mod / 7 (8) Ξ [m · (o) -kΙλ-xl -k2Jrx2-k3Jrx3 -...- kn-vin] mod p Ξ [m · (a)-(17-rl)-· * ·-(kn-xn)] mod p S = Rl · [si + s2 + · .. + s / 7] mod (/ 7-1) Then, the combination of IL, U2, ..., and U, used for this message is 17 (9) 200418297. The resignature is (R, S, H (M)).传送 Pass the multiple signatures to an external verifier. The multi-signature verification phase is based on the combined multi-signature (R, S, Η (Μ)) of the received message M. An external verifier must use the public keys of all signers Υ »(its Φ 1 S i S / 7) verifies the authenticity of the multiple signatures, and restores 1 m from the multiple signatures. The group public key Y associated with all signers is determined by equation (10). Υ ξ Π Yi mod p, where l < i < η (10) The procedure for reduction and verification is as follows: Step 1: Calculate Y · R · (〇c) -SR (11) ξ [(α ) (Χ1 + ... + Χ / 7) · m · (α)-^: 7 + Γΐ-^ + Γ2 ...- 1 /? + Γ / 7 · (a) -Xl + l / -ri -X2 + U-r2 · ~~~ Xn ^ kn-m] mod p ξ m 'mod p Step 2: Use IL's public key to decrypt m' into this article M '' and restore it from the test formula (11) Whether M ′ satisfies the equation H (M ') = H (M) mod / 7. If M 'satisfies this equation, the authenticity of the combined multi-signature is verified. Threshold multiple signature mechanism with message restoration function The third figure shows a table for explaining a threshold multiple signature mechanism with message restoration function 200418297 according to the present invention. Although the multi-signature mechanism can share the responsibility of signing messages between a group of signers, it cannot prevent a verifier from guaranteeing that a member > is a true participant of a multi-signature. In some applications, the most validator's concern is that a message is signed by the legal minimum number of people in the group. But the validator must be prevented from verifying that someone is actually involved in generating one of the group's signatures. In this case: a (Λ / 7) threshold multiple signature mechanism is required. By improving the multi-signature mechanism described in Section 3, a threshold multi-signature mechanism with the function of information restoration is designed. For simplicity, the following symbols are the same as those used in the second figure. And mathematical proof will be used to prove that the mechanism of the present invention can be correctly implemented. It is concise to assume that these signatories from the / 7 members are Ui, u2, ..., and Ut. The initial signer lh acts as the initial signer, that is, the first signer, and informs the other participants to sign the message M.仏 is also responsible for assembling and verifying all individual signatures (where 2 < i ^ / 7), and generating a combined multiple signature for all members in message M. The mechanism of the present invention is composed of the following phases: a private key sharing phase, an individual signature generation phase, a multiple signature generation phase, and a multiple signature identification phase. Preliminary: Private key sharing phase When the system starts to operate, each group member must act as a dealer based on the (Λ / 7) threshold. The secret sharing mechanism distributes the projection of their secret key to other group members. Suppose Zl is the public information associated with member Ui, and X: is the private key of U ,. Each group member selects a random 19 ^ 041 ^ 297 polynomial meaning (meaning) in 厶 ./ such that — u, + mod (W), where χ. Is the private key of 仏. Then Ui is in a secure channel. First, f M is sent to 1 ^ (where 1 Sj Sn, and j # i), and mod p is broadcast. If a new member U w wants to participate in the system, the member must first randomly select his private key between 0 and P- /, so that gccKX /, is * 1. .h Then all members must repeat the secret key sharing procedure described above in accordance with the (Λ / 7 + 1) threshold secret sharing mechanism. Individual signature generation phase-Basic individual signature generation When the first signatory does not want to sign the message M with appropriate redundancy, the IL is encrypted using its private key μ. Let m be the ciphertext of μ. Then 仏 selects a random number h between 1 and 7-1, and calculates η and Sl. rl = [m · (α)-^ /] mod p (21). si = [XI-(Jcl-rl) + Q1L1] mod (ρΊ) (22) Ω1 Ξ i) A Ξ ΓΙ ^ -mod ( j7 ~ l) in j = t ^ l, and; t = U = l.An · 厶 i one of / fc, and Ω1 can only be calculated by Ih, because only 仏 knows that each is a dagger), any of them θ 1 〇 And because the 値 of L1 has nothing to do with any secret information, 20 200418297 uses L1 値 as the public. 'The basic signature signed by U! In message M is composed of (n, Sl, part. And after signing message M, Ui sends (n, Si, H (M)) all other members U2, lh, ... , And U :, and keep the number h privately.-Identification of basic individual signatures: When any member IL (of which 2 S i S r) receives (n, H (M)), U, will try to restore The ciphertext m, and the authenticity of the basic individual signature (n, Sl) is verified by using the public key of 仏. Ui first executes the following equation to restore m Y1 · XlLi · rl · (a) rl- sl (23) three [(α) × 1 · (α) Ω1M · m · (a) i / · (a) rl-XI +-rl-QlLl] mod p ξ m 'mod p Ξ niod (pl) where 〇 Then U, decrypts m 'into the text M' 'using the public key of IL and checks whether M' is derived from equation (23) S and satisfies the equation H (M) = H (M) mod / 7. (23), IL also verified the authenticity of the basic individual signature (n, sd.-If the individual signature is generated if it agrees with the content of M, it will follow the steps below to sign m 'and generate its individual signature. 200418297 Step 1: Randomly select a number between 1 and ΐι, Calculate ri ^ [m · mod p (24) / Step 2: Solve the equation si Ξ [Xi. (Ki-π)-ΩιΙι] mod (p ^ l) f 25) Ωί = ^ fjiz ^ modip-l) Α · Ξ Π — mod (p ~ l) where Lu Shi 1 and k = 1, k, right, Zi, B, and k IL. The individual signatures in the message M are composed of two parts (n, Si).

After Ui generates the individual signature of the message M, it will return (n, Sl) to the initiator lh, and save the number privately. Multi-signature generation phase-verification of individual signatures: According to any individual signature (n, s,) received, of which 2 SS r, 仏 will try to restore the message m and borrow the public key of 仏To verify the authenticity of the individual signature (n, Sl). U! Restore the message m is done by the following formula:

YiAiL, · ri · (a) n-si (26)

e [(a) Xi · (a) QiLi · m · (c〇-h. · (a) ri-Xi + 々 /-ri-OiLi] 777 < 9c / P = m * mod p 200418297 η Λ = PJ ° ^ fj (χ,) m〇d (ρ -1) where M + 1 0 restores the message m 'by formula (26). Then, IL compares m with the original message sent to U: and checks Are the two messages consistent? If the two messages are consistent, the authenticity of the individual signature (n, Sl) is verified. When the individual signature is verified, the message restored from the individual signature and the The original information is consistent, Ui will be restored by η, by executing ri · m-1 ^ [m · (a) -Jci · m-1] mod p = {〇) -ki mod p (27)-combined multiple Generation of signatures Once the IL receives all the individual signatures that have passed verification, Ih then calculates all (a) -h, R, and S, which are defined as follows: R ξ [rl · (a) -Jc2 * ... · (A) -iri · (a) rl · ... · (a) r /] mod p (28) ξ [m · (a) -17 + rl-^ + r2-i: j > + r3- ...- I ^ + rr] mod p ξ [m · (a)-(kl-rl)-***-(kt-rt)] mod p S ξ Rl · [si + s2 + ... + st] mod (p-1) (29) Then, for the message 111, 1,112, ... 11〃 / and 11, the combined multi-signature-based weight of (R, s, H (M)).传送 Pass the multiple signatures to the verifier. The multi-signature verification phase receives the combined multi-signature (R, S,) 23 200418297 for message M. An external verifier must then use the public keys Yi of all signers (1 S i S 77 ) · To verify the authenticity of the multiple signatures, and restore the message m from the multiple signatures. The group public key Y associated with all signers is determined by equation (30). Y = ΠΥϊ mod / 7, where l < i < η (30; The procedure for the reduction and verification is as follows: Step 1: Calculate Y · R · (a) -SR (31) = [(a) (Xl + ... + Xt + Xt + l + ... + X77) -m · (a) -l / + rlU + r2U + r3 -...- ir / + rt · (α) -χ1 + /-Γ1-Χ2+β-Γ2.···.· — Xt + 丄 r-rt-Xt + 1 -...- Χπ] mod ;? Ξπι 'mod p Step 2: Decrypt m' into the text M ' , And the test formula (31) is restored: ^ 1 'satisfies the equation: ^') = out: ^) 1110 (1; 7. If: ^ 'satisfies the equation, the combined signature is multi-signature The authenticity is verified. Security analysis of effective multi-signature mechanism with message restoration function The multi-signature mechanism with message restoration function of the present invention may be attacked, which can be divided into three types according to the analysis results The first type of infringement is to obtain the private key of the group member. The second type of infringement is to forge the signature (n, Sl) or any multiple signatures (R, S). The third type of infringement is To expose the message in the signature 200418297 Infringement targeted for obtaining private keys Infringement 1: Desire Get a signer ’s private key. There are three possible ways to obtain the private key of any group member: 1. Instantly restore the brother from Yt. Because Υ, Ξ, the member is removed from the corresponding public key Yi. The restoration of the private key X of the IL is equivalent to solving the problem of the discrete logarithm. 2. Xi is determined in the group of multiple signatures generated by the IL.... Of multiple signatures {(ru, s ^), (n.2, Si.2), ..., (nw, Sl, w)}, an intruder may be able to try to unlock the form su ξ Xi-( -Ru) mod (;?-1) w equation (where 1 S w). Because w + 1 terms are unknown (because each multi-signature uses a different secret iru), the system of this equation The system is not completely determined, and Ui ’s private key system is safe. 3. Restore any secrets _. /, And then decide by Xi that an intruder may want to restore some 直接. ≫ directly, or The system of solving the above equation Ξ Xi d-ru) mod (/ 7-1) is used to determine Ly. If an intruder can get some secret number Lv, then by solving the equation ~-iv, "mod (/?-1) can be determined. Although each person may be able to combine multiple signatures generated by a set of ILs, it is not feasible to calculate any secret number by solving the system of the equation. Because the unknown number is one more than the number of equations. On the other hand, restoring the number from (α) -々 /, y · / 77 (9 (^ / 7) is equivalent to solving the problem of scattered logarithm. Infringement 2: Conspiracy 25 200418297 When the private use of some members When the gold mine is revealed or a group of legal members conspired, the private keys of any other members will be leaked. Suppose a group of legal members (Uu, Ul, 2, ..., UL.t) conspired (of which 2 < ί < / 7-1), or the private gold mirrors of members of the group have been exposed. In this situation, 'Suitable Cheng Jin's private gold XL, j and secret number (where 1 ^ jst) are No longer secure. If the group's co-conspirators or intruders want to obtain the private keys of other members, the only method available to the group's co-conspirators or intruders is the same as described in Invasion 1. Therefore, although members The private key was leaked or conspired by a group of legitimate members, but the security issues of the other members were still not compromised. Infringements for the purpose of forging the seal 3: The forger may only want to forge the first signer by using only public information Individual signatures (ri, Si) signed by 其中, of which 1 S j S η, or forged by the signatory 仏Multiple signatures (R, S) of any known message M signed. There are three ways to forge individual signatures (n, Sl) or multiple signatures (R, S): If a counterfeiter fixes M and η, And if you want to calculate a 51 値 that satisfies M Γι · (a) n-si, then the calculation of solving Si 値 is equal to solving the problem of the logarithm of dispersion. If a counterfeiter fixes M and η, and want to calculate a satisfiable 5; 1- (L-n) $ 1 値, and then the solution of Sl is equal to obtaining the private key brother or the random secret described in the violation 1. The violation is called a substitution attack , And the following analysis. Infringement 4: Forgery has a strong form, and one of the forgers who knows a message M with the corresponding signature 26 200418297 can generate some special message form M = m · (a) e 777M / 7 effective signature. Although the result of the MZ is beyond control, the stronger form of the forged violation is still harmful to all ElGamal mechanisms and the RSA system; the typical prevention of this violation is through one-way A hash function or a redundant mechanism is used to complete it, and how the substitution infringement affects it will be mentioned later. The structure of combined multi-signature. A forger may choose any two integers A and B before Zp, and •-calculate R 'Ξ Μ · (α)-ΑB mod pe = A · (R,-B) Let Lets' = A, then the pair (R ', S') is the combined multi-signature of the message M '= M · (a) e mod / 7. When any validator receives (R', S '), M ′ can be restored from this multiple signature by executing Υ · R' · (cc) -S 'R, three [Y · Μ · (〇c) -AB · (a) -AR ,] Mod p ξ [M · (a) A (R, -B)] mod p ξ [M · (a) e] mod p ξ M 'mod p In this way, a counterfeiter can impersonate an initiator And uses a similar operation to generate a forged valid basic signature for certain uncontrolled messages. Therefore, even if the individual signature cannot be forged, the mechanism still needs a one-way hash function or a suitable redundancy mechanism to prevent such infringement. Violation of Disclosure Message Violation 5: Disclosure of Signed Message 27 200418297

The multi-signature machine with a message restoration function proposed by the present invention does not guarantee the privacy of the signed message. For example: as long as any person can intercept individual signatures (n, Sl) or multiple signatures (R, S) of υ, they can use _public information A a, Yi, ..., and γ. (6 ) Or (11), restore the original message M. The reason for proposing a mechanism without data protection is because many applications that use digital signatures allow the content of the message to be revealed. If the privacy of the signed message is important, only an additional encryption procedure is needed to strengthen the mechanism proposed by the present invention. The encryption process is straightforward. In short, the sender U uses the public key 元素 ρ of the receiver U to encrypt its individual signature element ri:

Ci ^ [(Yj)-ki ^ rii · ri] mod p That is, the original signature (n, Si) was replaced by (Ci, Si) 'When the IL receives the signature, the UH is based on the following steps Restore ^: Step 1: Calculate [Yj · (a) -si] mod ρ ξ [(a) Xi · (a)-[Xi-{ki-ri)]] mod p Ξ (a) (i: / -ri) mod p Step 2: Calculate (a (ki-ri)) Xj mod p ^ (aXj) (i: /-ri) mod = (Yj) (ir / -ri) mod p Step 3: Change n from Ci reduction is performed by performing [{Y)) {ki-π) · Ci] mod ρ = (Yi) * π) · (Yj) (-ir / + ri) · π mod ^ ξ ri mod p

2S 200418297 In this way, the IL can obtain the original signature (n, s0, and restore the message M in accordance with Section 3.1, and authenticate the signature. Because only U has a private key brother, an interceptor cannot borrow The above three steps will decrypt n. Therefore, the signed message M is still confidential. Security analysis of the (Λ J) threshold multiple signature mechanism with message restoration function is obvious. The multiple threshold threshold mechanism proposed by the present invention can resist The same violations as above, that is, the violation of obtaining confidential information, the violation of forged signatures, and the disclosure of information can be prevented.

In addition, by formula (25), when an invader wants to impersonate a legitimate member to generate a unique signature (n, Sl), he must first know Ui's secret key and secret shadows' (&), Where IS, but the infringement is difficult, because the desire to obtain from public information is equivalent to solving the logarithm problem. Comparison The functions and communication costs of the mechanism of the present invention and the prior art are compared here. In Harn's parallel multi-signature mechanism, if / 7 participants are required to sign a message, each participant must calculate a fresh value η for signing and send the newly signed message to all other Participants. When sending the signing message between each pair of signers' must use an order of magnitude message. Because the new signature for signing a message must be transmitted to all other signers, the signatory must be determined in advance. This requirement also limits the use of this mechanism. 29 200418297

Harri's (Λ /?) Threshold multiple mechanism is similar to Hari's multiple signature mechanism. One

The r signatories must be determined in advance, and the number of messages required for a new exchange between righteous signers is in the order of magnitude. This requirement restricts the use of Ham's (Λ //) threshold multiple mechanisms in mobile networks, where some signers of the mobile network may fail to connect due to the failure of mobile nodes or communication links. In the mobile network, it is somewhat impractical to request a mobile application to determine the f signers in advance. Instead, the action application must dynamically determine the signer of the connection to choose the signer.

Langford proposes two mechanisms. The first threshold mechanism requires a trusted key generation center to pre-calculate and store the shared part for each individual signature. Although the risk of single pomt failure can be reduced by using multiple trust centers, the trust center may still be a bottleneck or infringement point for implementation. In addition, the mechanism assumes that there is a secure channel for the trust center to use a secure method to distribute the secret sharing portion to the signatory. During the signature generation phase, the construction of the secure channel requires the cooperation of additional security protocols / structures. The threshold (〖, /?) Multi-signature mechanism will be difficult to use due to the frequent failure of nodes or links in the mobile network '. In this case, some signers or the trust center itself may not be able to connect. In the second mechanism, the trust center is removed, but a combination (comMner) still needs to gather and integrate individual signatures. The mechanism also assumes the existence of the secure channel, which is used for the exchange of 30 200418297 messages through additional security protocols or techniques. In this mechanism, a pre-determined distribution group system / needs to assist in the generation of the sharing part, and among all signers, the number of messages exchanged for signing # is in the order of magnitude 仏 0. In order to achieve the security of r-OUt-〇f- / 7, a signer is required to participate in the signing process. This requirement makes the second mechanism impractical for a large t when the author point is out of bounds, since 〆 must be less than or equal to / 7 値. Compared with other mechanisms, the first multi-signature mechanism proposed by the present invention is to support the ability to restore information and allow the signatories to be determined in a dynamic manner. In addition to the orders of magnitude required for signature generation, there is no need for any signing messages to be exchanged between each pair of signers. The mechanism has also been extended to groups that support mobile networks. The conventional multi-signature mechanism and threshold multi-mechanism cannot be implemented in unreliable networks such as: mobile network, because all signers in the mechanism must be determined in advance, and each signatory must receive all signature Signing message. On unreliable networks, some signers may not be able to connect for a certain period of time. After comparison, the performance of the (t, η) threshold multi-signature mechanism in the mobile network proposed by the present invention is efficient, because the signer does not need to be determined in advance, and the reason why the communication link and the host fail Can be allowed. The reply of a statutory number of signatures is enough to construct a threshold for multiple signatures. The comparison results are summarized in Table 1. The top series includes seven different types of mechanisms, including three multi-signature mechanisms and four (Λ / 7) threshold multi-signature mechanisms. Each entry in the table indicates the characteristics of a mechanism related to an estimate. The definitions of the items used in the table are as follows: 31 η Number of participants t Threshold number of connected signers MS Jiang re-signature mechanism TMS threshold multi-signature mechanism, MR message restoration TC Trust Center The previous technologies compared among them are: 200418297 [1] L. Harn, " Group-oriented (t, n) threshold digital signature scheme and digital multisignature, " IEE Proc. Of Computers and Digital Technique., Vol. 141, No. 5, pp. 307-313 , Sep. 1994.

[2] L. Harn, " New digital signature scheme based on discrete logarithm, M Electronics Letters, Vol. 30, No. 5, pp. 396-298, Mar. 1994.

[3] SK Langford, “Threshold DSS Signatures without a Trusted Party,” Advances in Cryptology-Crypto '95 proceedings, Springer-Verlag, pp. 397-409, 1995. Please refer to the fourth figure, which shows the difference Forms for multiple signature mechanisms. As shown in the table, the mechanism of the present invention provides message restoration capabilities. And the size of the signature transmitted by the mechanism will not increase with the increase in the number of signatories. Because the signing message does not have to be exchanged between participants, the total communication cost of the mechanism of the present invention is lower than other mechanisms. The (Λ threshold multi-signature mechanism of the present invention is a group authorization mechanism that is most suitable for mobile network applications. Although the present invention has been described in its related preferred embodiments, its combination 32 200418297 is not intended to limit the present invention, it should be It is understood that any person skilled in the art can make various modifications and changes without departing from the spirit and scope of the present invention, without departing from the spirit and scope of the patent scope of the present invention. ^ The present invention The scope of protection shall be determined by the scope of the attached patent application. The first figure shows a form for explaining the digital signature mechanism of the prior art. • The second figure shows the form for explaining the A form for a multiple digital signature mechanism with a message restoration function. The third figure shows a table for explaining a threshold multiple signature mechanism with a message restoration function according to the present invention. The fourth figure shows a table for explaining the comparison of different multiple signatures. Chapter mechanism table.

Claims (1)

200418297 Please turn over the range 1. A computer-implemented method with a multi-signature mechanism with message restoration function to generate and verify digital signatures, where the system coefficient is a large prime A α and a one-way hash function (one-way hash function) Η, multiple signers generate a continuous digital signature for a message m, and randomly select their private key X: between 0 and / 7- /, so that gccKX ^ ,, = 1, then calculate Y; = (a) Xi mod ;; (the remainder obtained by dividing by p) shall be regarded as its public golden picture, and the law system includes the steps: For an initial signer of one of the multiple signers, , Sign the message M with appropriate redundancy, M is encrypted by the signer ’s private key) 0 and becomes ciphertext m; a random number 厶 is selected between 1 and / 7-1, and a random number (a ) -ir / the remainder rl 〇 [m · (a) -kl] mod p) obtained by dividing the product of m and the message m by p, and calculate one by [XI-(々 /-rl)] divided by p-1 The remainder si (Ξ [χι-(h -r 1)] mod (p-1)) »sends (n, Sl, H (M)) to all other signers; with an i-th signer (Of which 2 Si S / 7) uses Υ1 · γ1 · (a) rl- sl restores the ciphertext m, where the restored ciphertext m is marked here as m ': and the authenticity of the signature (n, Si) is verified by using the public key of the initial signer; For the i-th signer (where 2 S 1 < / 7), is the receiver (n, Sl, H (M)), choose a random number between 1 and p-1, and calculate from ⑻- 々 / η (ξ [m · (a) -h] / 77W / 0 '34 200418297 and the remainder of the product of the product of m and p divided by p and calculate one by [Xi-(h- Π)] divided by ρ -l The remainder 5 丨 (5 [乂 卜 (上 / -ήΥ] mod (p-1)) ·, returns (n, Sl) to the initial signatory; _ According to any individual sign received Chapter (n, sd, of which 2 S i S η ', by the initial signer, restores the ciphertext m using Y Bu π (a) ri-si' once the public funds of the first signer are borrowed Key to verify the authenticity of the individual signature (n, sO; for the initial signer, R (Km · (a)-U / -rl)-···-(im / 7)] mod / 7) and S (Ξ Rl · [si + s2 + ··. + S / 7] mod (广 1)) 'combine a multi-signature for the message M with n signers (R S, H (M)); and send the multiple signature to an external verifier; for the external verifier, it is based on the combined multiple digital signature (R, S, Η ( M)) 'Verify the authenticity of the multi-signature, and restore the message m from the multi-signature by using the public key Yi (of which 1 si < knife) of all signers. 2. The computer-implemented method as described in item 1 of the scope of patent application, wherein step (2) further includes the step of: decrypting m 'to the text M' by using the public key of the initial signatory; if M 'satisfies, etc. Formula H (M ') = Xun: ^) 111 (^;?, Then the first individual signer is used to verify the authenticity of the basic individual signature (ru s!). 35 200418297 The computer-implemented method according to item 1, wherein step (4) further includes the steps: if the two messages are consistent, that is, the information restored from the individual signature is consistent with the original message, then verify the individual signature ( n, Si), and after individual signatures (n, s.) are successfully verified, by executing ri · m-1 & [m * (a) -kj · m-1] mod p = mod p) Restore (〇0-h · n from. · ㈣ 4. The computer-implemented method as described in item 1 of the scope of patent application, wherein step (6) further includes the step: using Π YimodA where 1 S i S /; ) Determine the group public key Y; restore m 'using Y · R · (cx) -SR; decrypt m' into the text M 'by using the public key of the initial signer; and If M 'satisfies the equation H (M') = take] ^) 111〇 (1; 7, then the first individual signer is used to verify the authenticity of the basic individual signature (n, Sl). 5. — A computer-implemented method with a (t, η) threshold multiple signature mechanism with message restoration function to generate and verify digital signatures, where the system coefficient is a large prime number A ° ^ and a one-way hash function (one-way hash function) Η, multiple signers generate a continuous digital signature for a message m, and randomly select their private key X: between 0 and 0, so that gcd (X: ,, is = 1, Then calculate Υ, ξ (a) Xi mod / 7 as its open gold loss, the method includes the steps: 36 200418297 1 1) For an i-th signer, choose one of the M items Random polynomial ^ 00, so that ... mod (^-/), where X is the private key of the i-th signer; and it will be transmitted to IM 1 Sn in a secure channel, and j 妾 i), and Broadcast V⑹modi ?; (2) For one of the multiple signatories, the initial signatory, signed a message M with appropriate redundancy, and M used the private money of the signatory X! Becomes ciphertext m after encryption; a random number h is selected between 1 and / 7-1, and a remainder rl (4m ·) obtained by dividing the product of (a) -h and message m by ρ (a) -i: /] / 77 (9 (// 7), and calculate the remainder sl (4X1-(h -rl) obtained by dividing [XI-U / · rl) + ΩΙΜ] by ρ-l ) + Ωΐίΐ] mod (pD) »Send (n, Sl, H (M)) to all other signers; Ω1 ^ (X / yUl) 1110 ^ / 7'1)) where ^ can only be calculated by, Because only Ui knows every A (Zl), where any j is off 1, and because A = (Π-^-mod (pl)) is a public 値, the 値 has no secret information; (3) by An i-th signer (of which 2 S i < /), restores the ciphertext m using the script XlL · · rl · (a) rl-sl; and 37 200418297 by using the public money of the initial signer Key to verify the authenticity of the signature (r !, s!): '~ N Λ ^ J \ cxfjiXx) mod {p- \) where the restored ciphertext m is labeled m', and ~ + l; (4) For the first signatory (of which 2 Si < /?), It is a receipt:, n, Sl H (M)), select a random number between 1 and M ^, and Calculate the remainder ri (e [m * (aj-h] / Z7W… P) obtained by dividing the product of field (a) -h · and message m by P, and calculate one by [Xi-(i: /-ri )-QiLi] The remainder si (s [Xi-{ki-ri)-ΩιΙι] mod (p-1)) obtained by dividing by ρ-l; and returns (n, sd to the initial signatory; Ξ Z , A) mo❹ 一 1} L / Ξ Π ——mod (pl) Ganzhong j = t + i and 4 = 1 to correct 4 "Ά; (5) According to any of the individual signatures received (n, Si), where 2 S i S t 'uses the initial signer to restore the ciphertext m using Yi / XiL · · ri · (a) ri-si, and borrows the open money of the i-th signer Key to verify the authenticity of the individual signature (n, Si); Ai Ξ n ^ /; U,) niod (/ 7-l) where 丨 (6) For an external signatory, R (= [m · (a)-(h-rl)-···-(ir " r,)] mod / 0 and S (Rl · [si + s2 + ··. + sr] mod (/ 7-1) ), Combining a multi-signature (R, S, H (M)) for the message M with n signers; and sending the multi-signature to an external verifier; 38 200418297 (7) For an external verification In the case of The combined multiple digital signature (R, S, Η (Μ)) of Γ interest M is used to verify the authenticity of the multiple signature ^, and by using the public golden mirror Y of all signers: (where 1 < i < Knife) Restore message m from multiple signatures. 6. The computer-implemented method as described in item 5 of the scope of patent application, wherein step (3) further includes the steps of: '' decrypting m 'into the text M' by using the public key of the initial signatory; and if M 'Meet the equation H (M') = H (M) mod; 7, then the i-th signer is used to verify the authenticity of the basic individual signature (n, Sl). 7. The computer-implemented method described in item 5 of the scope of patent application, wherein step (5) further includes the steps: If the two messages are consistent, that is, the information restored from the individual signature is consistent with the original message, then Verify the authenticity of the individual signature (n, Sl); and after the individual signature (n, Sl) is successfully verified, execute ri · mi (ξ [m · {d) -ki · m-1] mod p ξ {a) -kl mod p) restores (a) -h · 777M / 7 from r. 8. The computer-implemented method as described in item 5 of the scope of patent application, wherein step (7) further includes the steps: using Π Yi modX where 1 < 1 < W determines the group public key γ; using Y · R · ( a)-SR restores m '; decrypt m' to 200418297 'M9 by using the public key of the initial signer; and-if M' satisfies the equation HCW) = H (M) mod / 7, then The authenticity of the basic individual signature (n, Sl) is verified by the first signatory. □ mm (Appeal 丨, _ Touch Lion Show) 40